Allow different users into ES with kibana? #53

Closed
fnzv opened this issue Apr 17, 2016 · 8 comments

@fnzv

fnzv commented Apr 17, 2016

Hi,
I'm trying your plugin to add a layer of security to ES and separate users so that each sees only his own data via the Kibana dashboard.
I installed the plugin and it worked fine with the use case 2 configuration (Kibana). Then I wanted to restrict the single users with indices permissions, so I used this configuration to test as the admin user:

readonlyrest:
    enable: true
    response_if_req_forbidden: Sorry, your request is forbidden.
    access_control_rules:

    - name: Just certain indices, and read only
      type: allow 
      indices: [logstash*,.kibana*] 
      kibana_access: rw
      auth_key: admin:passwd3

But it doesn't work, and on the Kibana dashboard I get "plugin:elasticsearch Authentication Exception" in the status page, even though I added this to the Kibana .yml configuration:

 elasticsearch.username: admin
 elasticsearch.password: passwd3

And on Logstash (with authentication):
message=>"[401] Sorry, your request is forbidden."

Another "bug" I found is that ES won't start with your use case 1 configuration unless you comment out or delete this line:
actions: [cluster:*, indices:data/read/*]

My ACL configuration should be something like this:
User has permission to read/write only on his data (logstash-user-* and kibana)
Admin has permission everywhere

ES version: 2.3.1
Plugin: 1.9.1 for 2.3.1

@sscarduzio
Owner

sscarduzio commented Apr 26, 2016

Sorry for the delayed response, I've been super busy this week.

About the configuration exception, you need to wrap the wildcard strings in double quotes (sorry, crappy docs kills again).

e.g.

actions: ["cluster:*", "indices:data/read/*"]

Tell me how it goes! 👍

@and1990

and1990 commented Apr 27, 2016

@sscarduzio Hello. My config is like this.

name: dev (read only, but can create dashboards)
type: allow
kibana_access: ro+
actions: ["cluster:", "indices:data/read/"]
auth_key: dev:dev

If I append 'actions: ["cluster:", "indices:data/read/"]', I cannot log in with user dev. Why?

@sscarduzio
Owner

You forgot the star! It's "cluster:*" not "cluster:", and the same for indices:data/read/

@and1990

and1990 commented Apr 27, 2016

@sscarduzio Actually, my config is ["cluster:*", "indices:data/read/*"], but it is shown without the "*" because of the editor.
And I have another question: when I started a Logstash instance (output is Elasticsearch), an auth exception occurred. What should I do about this? Should I add the user and password in the Logstash config too?

@sscarduzio
Owner

About Logstash HTTP auth

https://www.elastic.co/guide/en/shield/current/logstash.html#ls-http-auth-basic

About the conf problem

Not sure what you wanted to do with the actions rule, but this should work for a kibana admin and a logstash reader.

readonlyrest:
    enable: true
    response_if_req_forbidden: Sorry, your request is forbidden.
    access_control_rules:

    - name: RW Kibana
      type: allow
      kibana_access: rw
      auth_key: admin:passwd3

    - name: dev (read only, but can create dashboards) for logstash indices
      type: allow
      kibana_access: ro+
      auth_key: dev:dev
      indices: [".kibana*", "logstash*", "default"]
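
A simplified model of how an ACL like the one above decides a request, added here as an example (it is not code from the plugin or from anyone in this thread). It assumes blocks are tried in order with the first full match winning, models only the auth_key and indices rules, and uses constructed sample requests; all function names are hypothetical.

```python
import base64
import hmac
from fnmatch import fnmatchcase

# Mirrors the two blocks above as Python data (kibana_access is not modelled).
ACL_BLOCKS = [
    {"name": "RW Kibana", "auth_key": "admin:passwd3"},
    {"name": "dev", "auth_key": "dev:dev",
     "indices": [".kibana*", "logstash*", "default"]},
]


def basic_header(user, password):
    """Build the Authorization header an HTTP client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def basic_credentials(headers):
    """Return 'user:password' from a Basic Authorization header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def block_matches(block, headers, indices):
    """A block matches only if every rule it contains matches."""
    if "auth_key" in block:
        creds = basic_credentials(headers)
        # Constant-time comparison of the presented and configured secret.
        if creds is None or not hmac.compare_digest(
                creds.encode(), block["auth_key"].encode()):
            return False
    patterns = block.get("indices")
    if patterns is not None:
        # Every requested index must match at least one allowed pattern.
        return all(any(fnmatchcase(i, p) for p in patterns) for i in indices)
    return True


def evaluate(headers, indices, blocks=ACL_BLOCKS):
    """Assumed semantics: first matching block wins, otherwise forbidden."""
    for block in blocks:
        if block_matches(block, headers, indices):
            return "ALLOW: " + block["name"]
    return "FORBIDDEN"
```

Under this model, a client that sends credentials no block lists, or no credentials at all, falls through both blocks and is refused whatever index it targets.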

@sscarduzio
Owner

BTW good point about logstash, I added to the README example 2

@and1990

and1990 commented Apr 28, 2016

Question 1:
When I append ["cluster:*", "indices:data/read/*"] in my elasticsearch.xml, I cannot log in with the appointed user.

Question 2:
user => "logstash" password => "logstash"
When I append the config in my Logstash output, it still shows [401] <h1>Forbidden</h1>.

You should debug by yourself first.

@sscarduzio
Owner

Please see the updated, tested example 2. It needs the latest plugin version 1.9.3 (see download link in the README.md as well).

IMPORTANT: read again the instruction, I included a note to this bug which was making my Kibana go in a code 401 loop:
elastic/kibana#2814
